Skip to main content

Lightpanda CVE-2026-52842

| EUVDEUVD-2026-44720 CRITICAL
Origin Validation Error (CWE-346)
2026-07-15 GitHub_M
9.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
9.3 CRITICAL

Remote, unauthenticated, low-complexity single crafted URL (AV:N/AC:L/PR:N) but needs the agent to visit it (UI:R); SOP bypass crosses origins (S:C) leaking and forging cross-origin data (C:H/I:H, A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 21:18 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 16:49 vuln.today
Analysis Generated
Jul 15, 2026 - 16:49 vuln.today
CVE Published
Jul 15, 2026 - 16:18 cve.org
CRITICAL 9.3

DescriptionCVE.org

Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as http://attacker.com/@victim.com/ was fetched from attacker.com but treated as http://victim.com, allowing a complete Same-Origin Policy bypass. This issue is fixed in version 0.3.1.

AnalysisAI

Same-Origin Policy bypass in Lightpanda headless browser before 0.3.1 allows an attacker-controlled site to impersonate an arbitrary victim origin. Because origin computation searched for the '@' userinfo delimiter across the entire URL string rather than only the authority component, a URL like http://attacker.com/@victim.com/ was fetched from attacker.com yet treated as origin http://victim.com, breaking the fundamental web isolation boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure agent to crafted URL
Delivery
Serve http://attacker.com/@victim.com/
Exploit
Origin parser misreads path @ as userinfo
Execution
Content treated as victim.com origin
Persist
Read cross-origin cookies/storage
Impact
Exfiltrate sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires the Lightpanda browser (version < 0.3.1) to fetch an attacker-crafted URL whose path contains an '@' followed by the target hostname, e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent toward high real-world severity for affected deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a page at http://attacker.com/@victim.com/ and lures a Lightpanda-driven automation agent or scraper into fetching it (UI:R). Lightpanda serves the attacker's content but stamps it with the origin http://victim.com, so the attacker's script can read cookies, storage, or authenticated responses scoped to victim.com and exfiltrate them, effectively bypassing the Same-Origin Policy. …
Remediation Vendor-released patch: 0.3.1 - upgrade Lightpanda to version 0.3.1 or later, which replaces whole-string '@' searching with the bounded parseAuthority() logic (see release https://github.com/lightpanda-io/browser/releases/tag/0.3.1, PR https://github.com/lightpanda-io/browser/pull/1998, and advisory https://github.com/lightpanda-io/browser/security/advisories/GHSA-mq6p-m9cc-q432). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all systems running Lightpanda to identify affected versions (any before 0.3.1) and map all business-critical automation pipelines using the tool. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy